#alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; http_method; content:"/nte/"; http_uri; content:!"Referer|3a| "; http_header; content:"User-Agent|3a| Java"; http_header; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; classtype:trojan-activity; sid:2011576; rev:3;)

Added 2011-10-19 18:51:45 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; http_method; content:"/nte/"; http_uri; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Java"; nocase; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; classtype:trojan-activity; sid:2011576; rev:2;)

Added 2011-10-12 19:32:19 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET"; http_method; content:"/nte/"; http_uri; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Java"; nocase; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; sid:2011576; rev:2;)

Added 2011-02-04 17:31:24 UTC


alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET TROJAN nte Binary Download Attempt (multiple malware variants served)"; flow:established,to_server; content:"GET "; nocase; depth:4; uricontent:"/nte/"; nocase; content:!"|0d 0a|Referer|3a| "; nocase; content:"|0d 0a|User-Agent|3a| Java"; nocase; pcre:"/(\.php|\.asp|\.py|\.exe|\.htm|\.html)\/[A-Z0-9]+$/Ui"; classtype:trojan-activity; reference:url,www.malwaredomainlist.com; reference:url,www.malwareurl.com/search.php?domain=&s=trest1&match=0&rp=200&urls=on&redirs=on&ip=on&reverse=on&as=on; sid:2011576; rev:1;)

Added 2010-09-27 14:23:53 UTC


Topic revision: r1 - 2011-10-19 - TWikiGuest
 
This site is powered by the TWiki collaboration platform Powered by Perl This site is powered by the TWiki collaboration platformCopyright © Emerging Threats